SEC Turning Up the Heat: SolarWinds and Its CISO Charged with Fraud Regarding Cyber-related Disclosures
Key Takeaways
- With the SolarWinds enforcement action, the SEC continues to ratchet up its enforcement against companies that fail to properly disclose their cybersecurity incidents and risks.
- By naming the SolarWinds CISO as a defendant, the SEC is reaching further down the executive chain of command than is normally the case and seeking individual liability against a corporate technical expert to send a stronger deterrent message.
- The fact that SolarWinds had numerous federal government agencies as customers of its software and those agencies were impacted by the massive cyberattack may be part of the explanation for the SEC’s decision to bring an enforcement action against SolarWinds and its CISO.
Background: The SEC’s Increased Focus on Cybersecurity
On October 30, 2023, the United States Securities and Exchange Commission (SEC) announced charges against SolarWinds, an Austin-based technology company that provides customers with network monitoring software, and Timothy Brown, SolarWinds’ Chief Information Security Officer (CISO), for fraud and internal control failures relating to known cybersecurity risks that culminated in a nearly two-year long cyberattack against SolarWinds and some of its customers, including federal and state government agencies, and that was first disclosed to the public in December 2020.
The charges are the latest development in a recent string of SEC activity targeting cybersecurity risks and disclosure policies on both the rulemaking and enforcement fronts. Following a keynote address made at the outset of 2022 by SEC Chair Gary Gensler that emphasized the agency’s increased focus on cyber issues in light of the increasing risk of cyberattacks, the SEC proposed two new cybersecurity rules: one aimed at public companies, and the other at registered investment advisors and funds. This past August, the SEC finalized and adopted the rule governing public companies, which, amongst other changes, requires companies to report (via Form 8-K) material cybersecurity incidents within four days after determining the incident was material, and to disclose annually (via Form 10-K) material information regarding their cybersecurity risk management, strategy and governance. Meanwhile, the SEC continues to work toward finalizing its second rule, which would require registered investment advisors and funds to adopt written cybersecurity policies and to report significant cybersecurity incidents.
Coming in the midst of these initiatives, the SolarWinds complaint perhaps comes as little surprise. The SEC investigation into SolarWinds (and its customers) has been long-running. As early as 2021, reports surfaced that the SEC had sent investigative letters to customers of SolarWinds as part of the agency’s investigation, seeking information on whether those customers had been victims of the breach (and whether they, too, had failed to properly disclose it). The SEC even posted a specific Frequently Asked Questions (FAQ) page on its website for those entities from which it had requested information.
The charges announced on October 30, 2023, represent an ever-expanding frontier in the SEC’s crackdown on cybersecurity and disclosure failures at public companies. The SEC has ratcheted up the charges it is willing to bring for cybersecurity failures over recent years, having announced charges for disclosure control failures against First American Financial in 2021, and charges for non-scienter-based fraud against Pearson plc last year. With the SolarWinds complaint, the SEC has upped the ante yet again by bringing its first scienter-based fraud charges against a company, and its first charges against an individual employee, in a cybersecurity enforcement action. The SEC action is broad in its scope: the complaint alleges inadequacies in SolarWinds’ cybersecurity disclosures not only in the wake of a significant cyberattack, but also in the leadup to that attack.
Summary of SEC Action
The SEC’s complaint alleges that from October 2018 through January 2021, Brown and SolarWinds continuously overstated the quality and extent of SolarWinds’ cybersecurity practices and controls, while engaging in a scheme to conceal the true state of these practices from both its investors and customers.
According to the SEC’s complaint, as SolarWinds’ then-Vice President of Security and Architecture and head of the Information Security group, Brown was responsible for the overall security program at SolarWinds during the relevant period. In this role, Brown was the “owner” and “approver” of a “Security Statement” on SolarWinds’ public website that he and SolarWinds routinely disseminated to customers, and which the SEC alleges painted an inaccurate picture of SolarWinds’ cybersecurity practices. Brown and SolarWinds also misleadingly touted SolarWinds’ cybersecurity strength in blog posts, podcasts and press releases, and by distributing links to the “Trust Center” of SolarWinds’ website, which contained a copy of the Security Statement and prominently featured Brown. These material misstatements and omissions also extended to SolarWinds’ public SEC filings—filings that company executives submitted in reliance on sub-certifications signed by Brown—in which SolarWinds consistently disclosed no more than “generic and hypothetical” cybersecurity risks.
Despite these public statements, the SEC alleges that internally SolarWinds and Brown were aware that the reality was far different than the rosy picture being painted for investors and customers. Internal communications and presentations made clear that numerous policies and procedures in the public-facing Security Statement were not being followed, and that the potential consequences of SolarWinds’ vulnerabilities being exploited were catastrophic. These communications and presentations candidly described a company that was “not very secure”; was in a “vulnerable state”; was “so far from being a security minded company”; and that suffered from a “systemic issue around lack of awareness for Security/Compliance” that would threaten SolarWinds with “major reputation and financial loss.”
Not only was SolarWinds’ cybersecurity allegedly significantly weaker than what was conveyed to the public, but the SEC alleges that the company’s disclosure mechanisms were also deficient in ensuring that vulnerabilities were consistently reported up to management. Brown himself is alleged to have failed to adequately report issues and to have turned a blind eye to warnings and red flags, including repeated warnings about a critical access-management issue with SolarWinds’ VPN network. The SEC has charged that SolarWinds’ accounting controls were not designed to reasonably protect the company’s key assets. Indeed, the SEC’s complaint focuses at length on the fact that SolarWinds’ cybersecurity risks did not merely reside at the periphery of its business—they directly threatened certain of SolarWinds’ “crown jewel” assets (assets that, if compromised, could materially impact the company), including its flagship Orion product, which represented 45% of the company’s revenue in 2020.
These system shortcomings culminated in a massive cyberattack on the Orion product—known as the “SUNBURST” attack—executed over the course of nearly two years. As SolarWinds gathered evidence of the attacks over the course of 2020, including an attack against one of its federal government customers, and the number of red flags increased, the SEC alleges that SolarWinds continued to conceal the issues with its Orion product, including by lying to customers and repeating the same false and materially misleading generic risk disclosures in SEC filings. When SolarWinds (with Brown’s assistance) eventually filed a Form 8-K disclosure on December 14, 2020, the SEC alleges that the company continued to mislead the public as to its knowledge of the attack’s impact. In particular, SolarWinds disclosed that the vulnerability it had discovered “could potentially allow” a hacker to compromise the server on which Orion products ran, whereas in reality SolarWinds knew that hackers had already breached SolarWinds’ systems on at least three occasions.
Lessons for Public Companies and Their Key Cybersecurity Officers
The charges against SolarWinds and Brown represent one of the SEC’s strongest warnings yet that cybersecurity remains at the center of the agency’s agenda, and that its enforcement program will charge public companies and their key cybersecurity professionals who run afoul of the federal securities laws. This, combined with the SEC’s new rules regarding cybersecurity disclosures, significantly raises the stakes for public companies and their officers and directors. Several lessons arise from the SEC action:
- Companies must implement controls calibrated to their unique cybersecurity risk environments. The SEC’s complaint focused on the fact that certain “crown jewel” assets of SolarWinds were at the crosshairs of the cybersecurity failures. In addition, the SEC specifically acknowledged that cybersecurity practices and disclosures are “particularly material” and “especially important for a company like SolarWinds whose primary product is not only software, but software that other organizations install to manage their own computer networks.” Thus, when the potential fallout from a cybersecurity incident is significant, a company’s cybersecurity controls and disclosure mechanisms must be appropriately calibrated.
- It is not sufficient for companies to simply “talk the talk” when it comes to cybersecurity; they must also “walk the walk.” The SEC’s complaint repeatedly alleges that claims made publicly by SolarWinds, with Brown’s knowledge, regarding the company’s cybersecurity practices differed drastically from the practices that were actually being followed internally, and from what the company and Brown knew to be the case. Companies have to ensure that their cybersecurity-related disclosures are consistent with significant internal developments relating to the subject matter of those disclosures.
- A cyberattack will draw the SEC’s attention, but the SEC’s scrutiny will not stop there. Although the SEC’s charges against SolarWinds and Brown extend to their alleged disclosure failures around the announcement of the SUNBURST attack, the charges also sweep in numerous cybersecurity risks allegedly known by the company and Brown for an extended period, but about which they failed to provide adequate and accurate disclosure. The SEC’s complaint asserts that “SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack.” This action serves to remind companies to consider how their cybersecurity risks and related disclosures apart from the cyberattack will stand up to SEC examination.
- The SEC is ready to penalize corporate technical experts who have certain involvement in a company’s disclosure processes. Brown was one of several corporate executives who helped draft the Form 8-K announcing the SUNBURST cyberattack and he “signed sub-certifications attesting to the adequacy of SolarWinds’ cybersecurity internal controls, which SolarWinds’ executives relied on in connection with SolarWinds’ periodic reports that were filed with the SEC.” What is not clear from the SEC’s complaint is to what degree Brown misled other SolarWinds executives, or the precise degree to which those other SolarWinds executives also had some of the knowledge about the known cybersecurity risks which the SEC accuses Brown of concealing from the public.